The Git repository contains the following directories:

```text
📁
├──📁 ansible
│   └──📁 playbooks
└──📁 kubernetes
    ├──📁 apps
    │   ├──📁 authentik
    │   │   └──📁 authentik
    │   ├──📁 dashboard
    │   │   ├──📁 homarr
    │   │   └──📁 homepage
    │   ├──📁 media
    │   │   ├──📁 decluttarr
    │   │   ├──📁 flaresolver
    │   │   ├──📁 jellyfin
    │   │   ├──📁 jellyseer
    │   │   ├──📁 prowlarr
    │   │   ├──📁 qbittorrent
    │   │   ├──📁 radarr
    │   │   ├──📁 recyclarr
    │   │   └──📁 sonarr
    │   ├──📁 muse
    │   │   └──📁 muse
    │   ├──📁 ntfy
    │   │   └──📁 ntfy
    │   ├──📁 pihole
    │   │   └──📁 pihole
    │   ├──📁 semaphore
    │   │   └──📁 semaphore
    │   └──📁 speedtest-tracker
    │       └──📁 speedtest-tracker
    └──📁 infra
        ├──📁 cert-manager
        │   └──📁 cert-manager
        ├──📁 cloudflare-ddns
        ├──📁 databases
        │   ├──📁 dragonfly
        │   └──📁 postgres
        ├──📁 external-dns
        │   ├──📁 cloudflare
        │   └──📁 cloudflare-ddns
        ├──📁 flux
        │   ├──📁 repositories
        │   ├──📁 sources
        │   └──📁 vars
        ├──📁 longhorn
        │   └──📁 longhorn
        ├──📁 metallb
        │   └──📁 metallb
        ├──📁 pod-gateway
        │   └──📁 pod-gateway
        ├──📁 reflector
        │   └──📁 reflector
        ├──📁 reloader
        │   └──📁 reloader
        ├──📁 secrets
        │   └──📁 external-secrets
        ├──📁 system-upgrade
        │   └──📁 system-upgrade-controller
        └──📁 traefik
            └──📁 traefik
```
The following apps are installed on the clusters.

| Software | Purpose |
|---|---|
| Authentik | Modern identity provider for authentication and access management. |
| Homarr | Sleek, modern dashboard for managing services. |
| Homepage | Customizable homepage dashboard for service management. |
| Decluttarr | Automated media organization and decluttering tool. |
| Flaresolverr | Bypasses Cloudflare and DDoS protections. |
| Jellyfin | Media server. |
| Jellyseer | Media discovery and management for Jellyfin. |
| Prowlarr | Indexer manager for media automation. |
| Qbittorrent | Torrent client. |
| Radarr | Automated movie download tool. |
| Recyclarr | Notifications and monitoring tool for media services. |
| Sonarr | Automated TV show download tool. |
| Muse | Self-hostable Discord music bot. |
| Ntfy | Push notifications. |
| Pihole | Network-wide ad blocker and DNS service. |
| Semaphore | Continuous integration and delivery tool. |
| Speedtest Tracker | Internet speed tracking tool. |
| Flux | GitOps tool managing the cluster. |
| Cert-Manager | Manages Let's Encrypt certificates with Cloudflare DNS integration. |
| Cloudflare DDNS | Dynamic DNS updater for Cloudflare. |
| Dragonfly | High-performance in-memory datastore. |
| Crunchy PG Operator | Operator for managing PostgreSQL clusters. |
| External DNS | Automates DNS record management for Kubernetes resources. |
| Longhorn | Persistent block storage provisioner. |
| MetalLB | Bare metal load balancer. |
| Pod-gateway | Routes traffic from pods to a gateway for VPN access. |
| Reflector | Proxies and mirrors Docker registries. |
| Reloader | Watches changes in ConfigMaps and Secrets to trigger pod restarts. |
| External Secrets | Integrates external secret management systems into Kubernetes. |
| System Upgrade Controller | Automates k3s upgrades. |
| Traefik | Edge router and load balancer. |
| Device | Count | OS Disk Size | Data Disk Size | RAM | Operating System | Purpose |
|---|---|---|---|---|---|---|
| Turing RK1 | 4 | 2TB NVMe | - | 16GB | Ubuntu | Cluster Nodes |
| Turing Pi 2 | 1 | - | - | - | - | Baseboard and KVM |
| CWWK AMD-7940HS | 1 | 1TB NVMe | 8TB HDD (2x) | 32GB | Proxmox | NAS/Cluster Nodes |
Renovate Bot makes sure the components are never outdated.
It opens pull requests when Helm charts or Docker images have newer versions available, and it also keeps Flux and k3s up to date.
Flux supports SOPS, in particular with age keys: you encrypt your secrets locally with age, and Flux decrypts them when it applies the manifests. All my secrets are encrypted on my local machine and only ever decrypted by Flux inside the cluster.
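The pieces that make this flow work, as an added illustration rather than configuration copied from this repository: a `.sops.yaml` creation rule that encrypts only the `data`/`stringData` fields of Secret manifests (so Kustomize and Flux can still read the object metadata), and a Flux `Kustomization` that tells the kustomize-controller to decrypt with the age private key stored in a cluster Secret. The age public key, the repository path and the Secret name `sops-age` with key `age.agekey` follow the naming used in the Flux SOPS guide and are assumptions here.

```yaml
# .sops.yaml (at the repository root). Illustrative example, not this repo's own file.
# Only the secret payload is encrypted; apiVersion/kind/metadata stay in plaintext so
# kustomize can patch/name the object and Flux can reconcile it without decrypting first.
creation_rules:
  - path_regex: kubernetes/.*\.sops\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    # PLACEHOLDER age public key: replace with your own recipient from `age-keygen`.
    age: age1placeholder0000000000000000000000000000000000000000000000000
---
# Flux Kustomization that applies the encrypted manifests. The `decryption` block makes the
# kustomize-controller run SOPS before applying, using the private key from the referenced
# Secret. The private key never leaves the cluster; only the public key lives in Git.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./kubernetes/apps        # assumed path into the tree shown above
  decryption:
    provider: sops
    secretRef:
      name: sops-age             # Secret in flux-system holding key `age.agekey`
```

Workflow around these files: `age-keygen -o age.agekey` produces the key pair locally; the private key is loaded into the cluster once with `kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey`, and every Secret manifest is encrypted in place with `sops --encrypt --in-place <file>.sops.yaml` before commit. A useful pre-commit check is to grep staged `*.sops.yaml` files for a `data:`/`stringData:` value that does not start with `ENC[` and refuse the commit, which catches the classic mistake of pushing a secret that was edited but never re-encrypted.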
I'm using Cloudflare for external DNS and have a wildcard A record pointing to my Traefik instance. Internally I'm using PiHole for DNS resolution; the PiHole resolvers are injected into the pods via the hosts ConfigMap.